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I. INTRODUCTION 



The quantum key distribution (QKD) protocol provides a way for two remote parties 
(traditionally known as Alice and Bob) to share a secure random key by communicating over 
an open channel Alice and Bob publicly communicate over a quantum channel and 

then exchange messages over a classical channel that can be monitored but not tampered 
with by an eavesdropper (Eve). Quantum mechanics ensures that any activities of potential 
eavesdroppers can be detected. Even if some eavesdropping is found, Alice and Bob can 
further process the obtained key (the raw key) to extract a safe but much shorter key (the 
final key) by using a classical method of error correction (a reconciling protocol) and private 
amplification . A secure message of equal length to the final key can be transmitted over 
the classical channel by conventional encryption methods such as the one-time pad method 
0. The security of the encrypted communication depends directly on the security of the 
final key. 

Among the protocols proposed so far, the four-state scheme, usually referred to as the 
BB84 protocol [0, is claimed to be provably secure under the assumption that Alice uses 
a perfect single-photon source 0. In this protocol, Alice and Bob use two conjugate bases 
(say, a rectilinear basis, +, and a diagonal basis, x) for the polarization of a single photon. 
In basis +, they use two orthogonal states |0+) and |1+) to encode logical "0" and "1", 
respectively, and in basis x, |0x) (= (l/v^) [|0+) + |1+)]) and |lx) (= (1/V2) [|0+) - |1+)]). 
Alice transmits a random sequence of these states through their quantum channel and Bob 
measures each state with a basis randomly chosen from {+, x}. After transmission, the 
basis is revealed, which enables Bob to discard the data that Alice and Bob used a different 
basis to encode and decode and that provide inconclusive results to Bob. The remaining 
data, which is called the sifted key |jTO|, should agree for Alice and Bob and yield conclusive 
results for Bob. 

The key idea of the BB84 protocol is that simultaneous measurements of non-commuting 
observables for a single quanta are forbidden by quantum mechanical complementarity. For 
these non-commuting observables, the measurement of one observable made on the eigenstate 
of another observable inevitably introduces disturbance to the state because of the back 
reaction of the measurement. Since Eve has no a priori information about the randomly 
chosen bases of each bit in the sifted key, she is forced to guess which observable to measure 
for each photon. On average, half the time Eve will guess wrong and thus introduce a 
disturbance into the state. The disturbance can be detected as a bit error by comparing 
parts of the sifted key. 

The theoretical QKD schemes that have been proven secure against a wide class of attacks 
have involved the transmission of a single particle that is subject to quantum mechanics. On 
the other hand, there has been growing interest among researchers on quantum information 



processing using multi-photon states [|n|,|13l- Several authors have extended this idea and 
have recently proposed a QKD scheme that uses multi-photon states as a quantum carrier 
p!3Hl5[. All these authors used squeezed states, in which the key data are encoded on con- 
tinuous, conjugate observables of the field quadrature components. Hillery further suggested 
that any nonclassical field state is useful for quantum information processing and commu- 



nication [|1J]. In this paper, we show that quantum mechanics allows use of multi-photon 
states as a signal carrier in the BB84 protocol, and provide another example that supports 
Hillery's suggestion by showing that a secure BB84 protocol can be constructed by using 
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two nearly orthogonal coherent states and the superposition of these states (cat states). 

The organization of this paper is as follows. Section || reviews the BB84 protocol. The 
connection between the protocol and the information exclusion principle proposed by Hall 
16| is discussed and a comprehensive explanation of the principle of the BB84 protocol is 



given. The importance of an exact determination of information leakage to eavesdroppers 
is stressed and what is required for the BB84 protocol is explained. Section |T| is devoted 
to the main subject of this paper. The basic idea and the protocol of the QKD scheme 
using two coherent states and their superposed state are presented, and the principle and 
security of this scheme are discussed. Section is mainly devoted to discussion of the effect 
of channel loss and detector inefficiency for both the present scheme and the conventional 
scheme. In Sec. |V|, we summarize the main results of the paper. 



II. BB84 PROTOCOL 

The BB84 protocol can most clearly be understood in terms of the information exclu- 
sion principle |T^. This principle provides an information-theoretic description of quantum 



complementarity and imposes an upper bound on the sum of the information gain obtained 
from observation of complementary observables in a quantum ensemble. Consider two ob- 
servables A and i? of a quantum system with an A^- dimensional Hilbert space. They are 
said to be complementary if their eigenvalues are nondegenerate, and the overlap of any 
two normalized eigenvectors \aj) of A and \bj) of B satisfy |(aj|6j)| = l/\/iV; therefore, the 
eigenstates of A are equally weighted superpositions of the eigenstates of B, and vice versa. 
Thus, when the system is in an eigenstate of A, all possible outcomes of a measurement of B 
are equally probable; i.e., precise knowledge of the measured value of one observable implies 
maximal uncertainty of the measured value of the other. In such operator B is 



the generator of shifts in the eigenvalue of any eigenstate of A; exp{iBl) \aj) 
and vice versa, exp{iAm) \bj) 



0'{j+l)modN 



'{i—m) mod N 



Hall proved an inequality concerning information gain obtained by the measurement of 
complementary observables A and 5 on a system in arbitrary state p. Let p be a state 
of an given ensemble which is prepared with a priori probability pi in the known state 
Pi, so p = J2iPiPi- The initial entropy of the system is Hint = H{p) = —J2iPi^og2Pi 
(in bits). Given the conditional probability P{aj\pi) = tr{piAj) for obtaining outcome aj 
when measuring an observable A of the state prepared in pi, where Aj = \aj) {aj\, we 
can compute the a posteriori probability Q{pi\aj) for preparation pi by Bayes's theorem 
as Q{pi\aj) = P{aj\pi)pi/qj, where qj = J2iP{cij\Pi)Pi is the a priori probability for the 
occurrence of outcome aj. After the measurement, the average entropy (in bits) becomes 
Hfin = H{p\A) = —J2jQjJ2iQ{Pi\0'j)^og2Q{pi\aj). The average information gain (in bits) 
is J(p; A) = Hini - Hfin = H{p) - H{p\A) = -Y.iPi logs Pi + J2i Q(Pi|«i) log2 QipiWj); 
p!9| , |20[] this is also called the Shannon mutual information. Hall proved that the inequality 

np;A) + I{p;B)<2\og2m = \og2N (2.1) 

holds for the measurement of complementary observables A and 5 on a system in arbitrary 
state p, where ^ = max |(aj|6j)| = 1/VN |jl6|]. When iV = 2, inequality (|2.1|) means that the 
recoverable information can never exceed the maximal von Neumann entropy (S'max = 1) 
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bit of the system, which depends only on the dimension - the number of distinguishable 
pure states - of the Hilbert space in which the signal states lie. Inequality ( pTT|) states 
that the information gain corresponding to the measurement of an observable can be max- 
imized only at the expense of the information gains corresponding to the measurement of 
the complementary observable. Hall named inequality the information exclusion prin- 
ciple and showed that it is closely related to Heisenberg's uncertainty principle and Bohr's 
complementary principle . 

To see how the information exclusion principle relates to the BB84 protocol, let us briefly 
review the optimal eavesdropping strategy within an individual-attack scheme in which each 
signal carrier sent by Alice is independently subject to eavesdropping. In this strategy. Eve 
lets a probe of arbitrary dimensions interact with each signal carrier independently. As a 
result, each of her probes is correlated to a transmitted state and its partial information 
is imprinted onto the probe. She then delays her measurement and keeps the quantum 
information in her probes until she learns the bases used by Alice and Bob from their 
public announcement. She finally tries to extract as much information as possible about the 
transmitted states by measuring her probes. To avoid revealing herself in too straightforward 
a manner by introducing different error rates in the different bases (because the error rate 
should be independent of the basis if the errors are due to a random process). Eve applies 
a symmetric eavesdropping strategy that treats the two bases on an equal footing. This 
strategy has been shown to require a two-qubit probe - i.e., a quantum system with a 
four-dimensional Hilbert space - and to be optimal by Fuchs He proved that the joint 



unitary operation U acting on the Hilbert space of the carrier and probe is a state-dependent 
optimal quantum-cloning process [p^-|2^ that is given by 



(2.2) 

(2.3) 
(2.4) 



for X = +,x and m, n = 0, 1, where F + D = 1, and is the initial state of Eve's probe 

rx \ 

van / 



and 
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are 



ip^n'j is its normalized state after interaction. The four possible states of 

not necessarily orthogonal to each other, but all scalar products other than ^"'/'iil^oo/ 

V'oolV^ii) — (V^iolV'oi) — (V^oilV^io) = ^ must be zero and V must equal F — D in order to 
symmetrize the strategy ||25|| . 

Let us calculate the probabilities that Bob and Eve will correctly infer the state trans- 
mitted by Alice when Eve uses this eavesdropping strategy. These probabilities are charac- 
terized by the conditional probability P{i\i) of obtaining outcome j , given that state pi was 
transmitted by Alice. Suppose that Alice transmits either pox = |0x) (0x1 or pi^ = \lx) 
Bob's marginal density matrices p^, and Eve's, after the signal-probe interaction and 
without learning each other's measurement outcomes (nonselective measurement), are easily 
calculated as 
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(2.5) 
(2.6) 
(2.7) 
(2.8) 



where cr^„ 



and S{p) is a trace-preserving, completely positive, linear map of 
the density operators of Alice, and Eqs. ([2.5|)-(PTB|) define the unitary representation 
of this map. When Bob performs a standard measurement on the sifted key, the conditional 
probabilities of Bob's inference of his signal j when Alice sends signal i are, for x = +, x 
and i,i = 0, 1, 



P.^''m = tr{pg\jx){j.\) 



D 



(2.9) 



On the other hand. Eve's strategy is first to distinguish between two mutually orthogonal 
sets Si = {(JiQ, cTii} {i = 0, 1) that can be perfectly separated with a standard measurement. 
She next performs a measurement that distinguishes between a^Q and afi or between a^i and 
crfg, which are not necessary mutually orthogonal {traQQaf^ = traQ^afQ ^ 0), that gives the 
smallest possible error probability. This is the best she can do in terms of the information 
gained from the sifted key [^. It is well known that such a measurement is realized by 

^00 



standard measurement in the basis in the Hilbert space spanned by V'oo) ^"^^ "^ii) by 



V'oi / and V'lo / that straddles these vectors 



This measurement gives the conditional 



probabilities of Eve's inference of her signal j when Alice sends signal i as 



p^\3\^ = tT(piw;) 



i(i+^^, 



opt) 



i±V^ if^ = j 



2 



if i ^ j 



(2.10) 



where Pop* = t'^ — <7iil = t'^ |o"oi — ctioI = Vl — is the distance between cTqq and af-^ 
and between cTq^ and af^ in the trace-class norm, and IIq and 11^' are the projection- valued 
measures (PVMs) corresponding to the above detection strategy to distinguish between 
and pf^. (Eve also knows when Bob has received an error) pl|j33| -p6|. Finally, upon assuming 
equal a priori probabilities po+ = Pi+ = Pox = Pix, Bob's average probability (a posteriori 
probability) of correct (incorrect) inference of the state transmitted by Ahce, (Qf ), is 
given by | (^P^^{j\i) + P^^{j\i)^ with i = j {i ^ j) and Eve's average probability, Qf (Qf), 

is given by i (P_^^(j|i) + P^^{j\i)) with i = j {i ^ ]). Thus, = 

gives Bob's and Eve's fidelity, respectively, and = and Qf 



i+v 
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2 and Qf 
= i^v|Ev! gives Bob's 
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and Eve's error probability, respectively. = — Qf = V and = Qf — Qf = Vopt 



are convenient measures of Bob's and Eve's information gain Since these measures 

satisfy (G^) + (G^) = V^^^ + = 1, there is a trade-off relation between Bob's and 
Eve's information gain. 

From an information-theoretic point of view, the mutual information Iab between Alice 
and Bob and Iae between Alice and Eve concerning Alice's message is more appropriate 
for evaluating Bob's and Eve's knowledge about the sifted key. Mutual information is the 
measure of information successfully transmitted from input to output. Since Alice and Bob, 
in general, cannot distinguish between errors caused by eavesdroppers and errors caused by 
the environment, they have to assume that all errors are due to potential eavesdroppers. 
As long as Bob's error rate, Qf , is small, the errors can be accepted and corrected by 
legitimate users. As a result. Eve can obtain some information about the transmitted data. 
This information leakage to Eve can be eliminated by privacy amplification at the cost 
of reducing the length of the final key. Privacy amplification requires an exact determination 
of the upper bound of the information leakage to Eve. Thus, the security and robustness 
of the final key totally depends on this determination. The simple criterion for obtaining a 
finite length for the secure final key is still an open question, but the inequality Iab > Iae is 
believed to provide a fairly good criterion; i.e., if the channel noise is such that Iab < Iae for 
any potential eavesdropper, then Alice and Bob should consider the transmission channel to 
be unsafe. On the contrary, if Iab > Iae, they may still be able to extract a safe but much 
shorter cryptographic key. Moreover, in a classical context there is, at least in principle, a 
way for Alice and Bob to exploit any positive difference, Iab — Iae, to create a reliably secret 
string of key bits that has a length of about Iab — Iae [p7H39|. It is therefore important to 



exactly determine the upper bound of the information leakage to Eve from a quantity that 
Alice and Bob can evaluate. 

In the BB84 protocol, Iab can be evaluated directly and Iae can be determined from the 
error rate that Alice and Bob can evaluate. With equiprobable signals, they are given 
by Jab = 1 - H{Qf) and Iae = I - H{Qf), where H{q) = -qlog^ g - (1 - g) log2(l - q) 
is the entropy function (in bits) and is a nonlinear function of q. Since (^Qf — 1/2^ + 

(Qf - 1/2)^ = {[G^y + {G^fj/A = 1/4, Qf and Qf are mutually related. The upper 

plot in Fig. 1 shows Iab, Iae and Iab + Iae plotted against Qf , and the lower plot shows 
G^ and G^ . From this figure, it is clear that there is a trade-off relation between Iab and 
Iae as well as a trade-off relation between G^ and G^. The sum Iab + Iae never exceeds 
unity {Iab + Iae < !)• 

The last inequality, Iab+Iae < 1, is closely related to the information exclusion principle. 
This is because the above eavesdropping strategy can be alternatively viewed as a method 
for simultaneously measuring non-commuting observables. To see this, consider the unitary 
operation in Eqs. (|2.2| ) and (2^) with x = +,F=l{D = 0). This operation is called 



measurement of intensity 7, where ypulipoo) = (V'oolV^ii) = cos 7 = V. l2J] When Alice 
and Bob have chosen the basis +, Eve causes no disturbance and obtains information about 
the bit to the extent that she can distinguish the two vectors V'oo) ''Pti), whose error 



probability is ^ Conversely, if Alice and Bob have chosen the basis x. Eve learns 

nothing and introduces an error with probability Bob's and Eve's information gains 

when Alice transmits bits with the + basis are therefore I^^ = 1 and I^^ = 1 — if ( ^~^^~^^ ), 
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and their information gains when Ahce transmits the bits with the x basis are I^^ = 
1 — H{^-^) and I^^ = 0. Thus, this operation is asymmetric with respect to the basis 
used in which Eve obtains information on the bits sent with one basis at the cost of a 
disturbance in the bits sent with the other basis. In this operation, Eve obtains information 
only about the observable P+{= of the + basis on the system, while Bob obtains 

information about both P+ and Px(= \ix) {ix\) of the x basis. Thus, when Bob observes Px 
and Eve observes P+, the above operation provides a method for simultaneously measuring 
complementary observables, P+ and Px in which the outcome for Eve gives the information 
I^E = Hp'^ P+) that for Bob gives /^^ = /(p; Px) satisfying I^^ + 1^^ < 1. 

When we extend this argument to the symmetric operation associated with an optimal 
eavesdropping strategy, we find I^^ = I^^ = 1 — H{^^) and I^^ = 1^^ = 1 — H{ ) 
because Bob's and Eve's information gains are independent of the basis Alice chose. We 
thus find that the symmetric operation provides a method for simultaneously measuring 
two complementary observables, P+ and Px, even when Bob observes P+. In this case, the 
outcome for Eve gives the information I^^ = I{p; Px) and that for Bob gives 1^^ = I{p; P+). 
When we also take into account the fact that the sifted key involves only the data for which 
Alice's and Bob's bases agree, the above arguments imply that Bob's average information 
gain on the sifted key is given by 

Iab = ^{1 (p,.x ; Px) + / (p.+; P+)}, (2.11) 
whereas Eve's information gain is given by 

Iae = \{I ip^x■,P+) + I (p.+ ; Px)} (2.12) 

for the symmetric operation. 

We can now see that the information exclusion principle leads to the inequality 
Iab + Iae < 1- Since the bases Alice and Bob used in the BB84 protocol are conju- 
gate, |(0x|0+)| = |(Ox|l+)| = Klx|0+)| = Klx|l+)| = 1/^2 holds, and it follows from the 
information exclusion principle that the inequalities 

I{p,+ ;P+) + I{p,+ ;Px) < 1 (2.13) 

J(p,x;P+) + /(ax;Px) < 1 (2.14) 



should hold. Equations ( p.ll|) and ( p.l2|) and inequalities (|2.13|) and (|2.14|) imply that 
Iab + Iae < 1- We therefore conclude that the bound on the sum of Bob's and Eve's 
information Iae + Iae < 1 is a direct consequence of the information exclusion principle; 
that is, the sum can never exceed the maximal amount of information that can be encoded 
in a two-state system. This condition must be met for the BB84 protocol to be secure. 
It is therefore essential in the BB84 protocol to limit the size of the signal space N, as 
is easily found from Eq. (p.l|) . Thus, the conventional BB84 protocol requires use of a 
single-photon carrier with a limited degree for freedom of information encoding such as 
polarization encoding. Meeting this condition ensures that no eavesdropping strategy can 
break this bound. Then, we can safely say that the information leakage to Eve Iae is 
bounded by 1 — Iab which Alice and Bob can also evaluate from the bit error rate in Bob's 
data. Only in such a case, can we establish a provably secure final key by the subsequent 
privacy amplification. 
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It is helpful for later discussion to point out that the information exclusion principle 
is directly related to the fundamental relation between fringe visibility V and which-way 
information (path distinguishability) T>opt in one-particle interferometry [^0|-^. To demon- 



strate this point, we note that the identities |0x) (Ox | + |lx) (Ix | = |0+) (0+| + |1+) (1+| = /, 
|0x) (1x1 + |lx) (0x1 = |0+) (0+1 - |1+) (1+1, and |0+) (1+| + |1+) (0+| = |0x) (Ox| - |lx) (lx| 
hold for a two-state system. We then find that Bob's marginal density matrices or pf^ 
can be rewritten in terms of the complementary basis as 

(2.15) 
(2.16) 
(2.17) 
(2.18) 

These equations are isomorphic to the equations describing one-particle interferometry where 
V gives the fringe visibility and Vo-pt = Vl — gives the maximal which-way information 
(path distinguishabihty), satisfying + < Vlp^ + = 1 [1^,11 ■ Note that the initial 
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states that Alice transmitted are given by setting V = 1 in these equations. This implies 
that the noise introduced by eavesdropping reduces the coherence (the off-diagonal terms) 
of the initial states, and that Bob's bit error probability = due to eavesdropping 
can also be detected by observing the fringe visibility V in some kinds of interferometry. 

To summarize this section, the security of the BB84 protocol totally relies on the quan- 
tum mechanical complementarity. This complementarity gives a firm basis for exact deter- 
mination of the upper bound of the information leakage to eavesdroppers. This enables the 
security of the final key for the BB84 protocol to be mathematically provable. 



III. BB84 PROTOCOL USING TWO COHERENT STATES AND THEIR 

SUPERPOSITION 

The quantum mechanical complementarity and use of a single-photon carrier ensures 
that there is an upper bound on the information leakage to eavesdroppers and enables us 
to determine this bound from the information gain of a legitimate user. The requirement 
for complementarity to be valid states that the conjugate bases must belong to the same 
signal space. In other words, if the mutually complementary observables and bases are chosen 
within the same signal-state space, the BB84 protocol can be constructed. This requirement 
can of course be satisfied when the polarization space of a single photon is used to encode 
information. For this purpose, we require a single-photon source, which has not yet been 
realized. To overcome this difficulty, a self-checking source, the validity of which can be 
self-checked, has been devised by Mayers et al. PB|J¥7| 

Alternatively, many experimental implementations of BB84 have used weak coherent 
pulses (WCP), rather than single photons; in these implementations, four equiprobable 
states given by 
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Oo ) = l«)2' |lo ) = |-«)2 



(3.1) 



were used. Note that \±ia) = (e^f/v^) [\a)Ti\-a)] + 0(a2). Therefore, if we 

consider only the first order in a (i.e., consider only a single-photon component), the four 
states would behave much like the ideal BB84 states. However, if we consider higher orders 
in a, the two states in one basis jio'^^) are no longer linear combinations of the two states 
in the other basis 



■wcp 



''7r/2/' ^^"^ ^'^^s '^ot satisfy the above requirement 0]. As a result, 
this implementation is vulnerable to eavesdropping. When a is large, these states are four 
non-orthogonal states lying in a four- dimensional signal state space instead of two sets of 
two orthogonal states lying in the two-dimensional signal state space used in the original 
single-photon implementation. There are eavesdropping strategies that make use of the 
linear independence of the four states. Figure 2 illustrates the relevant subspace of the four 
states in the entire Hilbert space (the Fock space). Because of the linear independence of 
the states, there are non-overlapping subspaces in the four states. The states lying in this 
subspace can be perfectly distinguished from each other, and a skillful eavesdropper can 
make use of this flaw to obtain information about the key without detection |T3|- p3| , |5^ . 

For example, Reid has described the conclusive-measurement attack, in which Eve can 
sometimes get full information by using an appropriate "positive operator-valued measure" 
(POVM) [Il9| , p8| , |33| , p5| , |56| that conclusively distinguishes such linearly independent states 
||15|| . Such measurement yields no information about the state most of the time, but it some- 
times identifies the state unambiguously. Another strategy, called the generalized beamsplit- 
ter attack, has also been reported on by several authors [0,^,^,0]. Since the polarization 
and photon number are independent observables, there is no problem in principle in select- 
ing a few pulses with two or more photons and separating them into two one-photon pulses 
without changing the polarization, for example, by means of quantum nondemolition mea- 



surement [£8| . Both these attacks are fatal, in particular, if the channel loss between Alice 
and Bob is large enough. This is because Eve can recreate the state near Bob and send it to 
him whenever she is able to measure the signal state unambiguously and can suppress the 
signal without causing errors and reducing the bit rate by substituting a less lossy channel. 
As a result. Eve can obtain information about the key seemingly without introducing errors 
in the transmission. In addition, most importantly, there is no security proof for the BB84 
with WCP implementations as well as the scheme using the two nonorthogonal states [^. 
This is because the quantum mechanical complementary can not work effectively in the 
WCP implementation, and there is no principle for reliably estimating the upper bound of 
the information leakage to eavesdroppers. This weakness of the WCP scheme arises because 
the states |io'^^) and 



■wcp 



''n/2/ linearly independent if we consider the multi-photon compo- 
nents of the signal states |5^. Thus, the use of the four coherent states in Eq. (|3.1| ) with a 
large a is inappropriate for the BB84 protocol, and Alice and Bob must use dim coherent 
pulses each of which, on average, typically contain 0.1 photons for the WCP scheme to 
approximate the single-photon scheme. 

Nevertheless, quantum mechanical complementarity does not forbid us to use the multi- 
photon state to implement the BB84 protocol. To see this, we consider the scheme depicted 
in Fig. ^. Two nearly orthogonal coherent states la) and |— a) are used to carry the key and 
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the superposition of these states {\a) ± \—a))/y2{l ± k) is used to prevent eavesdropping. 

Here, k is the overlap of the two coherent states |a) and \ —a); i.e., k = \ {a\ — a)\ = e~^'"' . 
These states are the "Schrodinger's cat states" and are parity eigenstates that he within the 
relevant two-dimensional signal subspace spanned by , |— «)} in the Fock space |5 



These four states satisfy the requirement for quantum mechanical complementarity to be 
valid, and would therefore behave much like ideal BB84 states. 

In the following, we describe the protocol and explain how eavesdropping is detected. 
Consider the following protocol using only three, instead of four, states. This protocol is not 
the original BB84 protocol and is less efficient, but it is enough to explain the basic idea of 
the present scheme. 

1. Alice first chooses a subset of random positions within a sequence of data being trans- 
mitted. 

2. She then transmits random bits encoded with a set of nearly orthogonal states |0+) = 
|a) and = |— a) for the chosen subset (the first subset) which provides a raw key. 



3. She also transmits either |0x) = {\a) — \—a))/ ^2(1 — k) or |lx) = + 

\—a))/^J2(l + k) for the remaining subset (the second subset) which will be used 
only to detect eavesdropping. 

4. Alice also transmits a strong local oscillator beam (LO) with its polarization rotated 
so as to be orthogonal to the signal beam on the same channel by mixing the beams 
on a polarizing beamsplitter. The mixed beams are then transmitted to Bob. 

5. Bob uses a polarizing beamsplitter to separate the LO from the channel. The polar- 
ization of the LO is rotated by 7r/2 using a A/2-plate so as to match that of the signal. 



With this strong LO, Bob performs balanced homodyne detection |^2[ to measure the 
single field-quadrature X{9) = XaCosO +PaSm9 = {1 / \/2)[e~^^ a + e^^a)] of the signal 
when he receives it, where Xa = {l/\/2)[a + a)], pa = {^/\/2i)[a — a)]. If we assume 
that a is real for simplicity, then 9 is the advance of the signal phase relative to the 
LO phase (which is Bob's controllable parameter). He randomly varies 9 between 
and 7r/2 by changing the LO phase with phase shifter A. (It is possible for Alice and 
Bob to calibrate the phase 9 without introducing any vulnerability.) 

6. After transmission, Alice publicly announces the positions of the first and second data 
subsets. Alice and Bob then discard the part of the first subset of data for which Bob 
measured pa {9 = 7t/2) and the part of the second subset of data for which he measured 
Xa (^ = 0). Bob can obtain the sifted key from the first subset of the remaining data. 

For the moment, let us consider a perfect detector with unit efficiency and negligible 
channel loss. The effects of the detection efficiency and channel loss are considered in the 
next section. In terms of the sifted key, the conditional probability distributions pi+{xa) of 
Bob's output X when Alice transmits signal i obey the Gaussian distributions: 

PO+{Xa) = Tr |0+) {0+\Xa) {Xa\ 

1 

exp 



IT 



1/2 



Xa-{a)f , (3.2) 
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Pl+iXa) = Tr |1 + ) (1+1 a^a) {Xa\ 



71 



1/2 



exp 



- {xa + {a)y 



(3.3) 



where (a) = ^/2 \a\. The standard strategy for Bob to correctly infer the state transmitted 
by Ahce is to set the decision threshold at Xa = 0; i.e., he sets the bit value to when he 
obtains Xq > and to 1 when he obtains Xa < 0. Then, his average error probability has 
finite value Qf{a) = | Erfc [(a)], where Erfc[a;] is the complementary error function defined 



by Erfc[x] = (^l/v27rj J!^ exp [— r^] dr |Q. This is because the two coherent states \a) and 
|— a) are not orthogonal. Bob also checks the second subset of remaining data to detect 
possible eavesdropping. Provided that Alice transmits the |lx) state for the second subset, 
the associated conditional probability distribution pix{Pa) is 



Plx(Pa) = Tr |lx) (1x1 Pa) {Pa\ 



'I + k) 7ri/2 



exp 



-pI 



{l + sin [2 {a) Pa]] 



(3.4) 



Therefore, when Bob builds up the probability distribution pixipa) of getting outcome Pa 
upon measurement of pa-, the distribution should have interference fringes with a period of 
tt/ (a) in the absence of eavesdropping p^|51 |. 

To eavesdrop. Eve can, in principle, use a symmetric strategy by applying a joint unitary 
operation similar to the one shown in Eqs. ( p.2| ) and ( p.3| ). It must involve complex multi- 
photon interaction between the single-mode field of the signal states and the probe system, 
and a physical mechanism that would enable such an operation has been unknown. Even if 
such an operation is realized, we can safely conclude that our proposed scheme is as secure 
as the single-photon case as far as this strategy is concerned by an argument similar to the 
single-photon case. This conclusion is closely related to the fact that the quantum mechani- 
cal superposition of macroscopically distinguishable states cannot be noninvasively measured 
|65| , |66[| , which is essentially a direct consequence of the quantum mechanical complementar- 
ity. Moreover, this scheme is secure against a conclusive-measurement attack because the 
two mutually conjugate sets |i+) and \iy,) are hnearly dependent. In the rest of the paper, we 
thus consider only a simple strategy that can only be used for cryptographic schemes using 
multi-photon states, that is, a beamsplitter attack. We show that the intentional eavesdrop- 
ping activity will be detected by the legitimate users, and explain how the eavesdropping is 
detected. 

We consider the following scenario. Eve uses a beam splitter (BS) to sample part of the 
signal. She sends Bob the part of the signal transmitted through the BS and measures the 
reflected part to gain information about the signal. What we want to know is how much 
she can learn and how much she disturbs the signal state. For this purpose, it is sufficient 
to calculate Eve's error rate Qf on the sifted key for this particular scheme. If we denote 
the signal mode defined by the quantum channel as a and an auxiliary mode introduced at 
the BS as 6, the associated joint unitary operation of the BS on coherent state input is 



|0+)J0), 

|l+)a|0), 



f/B5|-a)jO)b= -VTo) VRa 



(3.5a) 
(3.5b) 



where T = \/l — B? is the transmission coefficient of the BS On the other hand, the 
same unitary operation transforms the |lx) state as 
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|Ox)jO),-.t/. 



BS- 



l«)a+ |-«)a 



2(1 



|0), 



2(1 



{\Vfal 



-\fRa) + 

b 



(3.6) 



This indicates that the resuhant state is entangled with respect to modes a and h even though 
the BS is a hnear device. Therefore, noise is inevitably introduced into the transmission of 
the |lx) state. The associated marginal density matrices, pfj^ and pf^ for Bob and and 
pfx for Eve after the beamsplitter are calculated as 



B 
Plx 



trEUBsPt^®\0),{0\U^I 
trEUBsPix^\0),{0\UB's 

— ^— I Vfa) (Vfa 
2(1 + k) ^ 

+Vb (\VTa)^{-VTa 



±Vfa) (±Vfa 



+ 



(3.7) 



(3.8) 



trBUBsPt+ ® |0), (0| U^l 
trBUBsPt.®\0),{0\U^l 

— — -f VRa) (VRa + -VRa) (-VRa 

1 + I /a\ /a\ 

Ra) (-VRa 



2(1 + 
+Ve 



-VRa 



Ra 



(3.9) 



(3.10) 



where pf^_ 

^-2(l-T)|a|2 



Ra 



Ra) 



H)a(*+I = l±a)a(±«l> P?x = |lx)a(lx|, Vb = 

= (y/Ta — y/Ta) = e"^^'"' (note that VbVe = k), and the upper sign 
(resp. lower sign) corresponds to z = 1 (resp. i = 0). Provided that Eve uses an opti- 
mum decision strategy that results in the smallest possible error when distinguishing two 
non-orthogonal coherent states y/Ra) and —y/Ra) , her error rate Qf is given by 



Qi 



i-v| 



(3.11) 



Such an optimum decision strategy can, in principle, be realized [|6^-[70[|. 

What Alice and Bob want to do is to evaluate Qf or Eve's average information gain 
Iae = 1 — H{Qf) as a function of disturbance observable in the signal that Bob recorded. 
When we note that Eq. ( |3.8|) is formally isomorphic to Eq. (|2.16|) , we find that the most 
appropriate measure of the disturbance is the fringe visibility observable in the probability 
distribution pix (pa)- From Eq. (|37^ ), pi^ (pa) in the presence of eavesdropping can be easily 
calculated as 

Pix(Pa) = Trpfx \pa) (j)a\ = ^ J^/^ [~pI] + ^ssm [2VT{a)pa] } . (3.12) 
The fringe visibility is therefore given by Vb- Figure 4 shows Eve's average information 



gain Iae = 1 — H{Qf) calculated from Eq. (|3.11|) as a function of the fringe visibility Vb 
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This figure clearly indicates that the amount of information leakage to eavesdroppers can be 
estimated from the visibility of the interference fringe in the probability distribution pix{Pa) 
of getting outcome Pa upon homodyne-detection measurement of Pa- It is immediately 
confirmed that the sum of the squared measures of disturbance Vb and distinguishability 



Vb = 1 — 2Qf = y 1 — reaches its expected upper bound of unity; + = 1. This 
indicates that the information leakage to eavesdroppers for a beamsplitter attack reaches its 
upper bound as does that for the more sophisticated symmetric eavesdropping strategy. This 
scheme is thus secure even against the beamsplitter attack even though the multi-photon 
states are used as a signal carrier. 

On the other hand, Bob's information gain Iab = 1 — H{Qf) is easily evaluated by 
publicly revealing a part of his sifted keys. In the case of single-photon implementation, 
Iab is expected to be unity for this type of asymmetric attack. Figure 4 compares Bob's 
information gain Iab = 1 — H{Qf) on the sifted key in the presence of eavesdroppers 
for the average photon number |a| =1 and 2 under the assumption that he performed 
homodyne detection followed by the standard decision strategy. In contrast to the single- 
photon implementation, Bob's information vanishes in the low fringe-visibility region. This 
is because the beamsplitter directs the signal light to Eve and the intensity of the signal 
going to Bob falls to zero. 

Figure 4 indicates that to learn about Alice's state with some degree of accuracy, Bob's 
visibility Vb must not be too large, which implies that the reflection coefficient 1 — T must 
not be too small. The requirements for a large information gain and little disturbance are 
thus incompatible. A large information gain requires a small transmission coefficient, while 
a small disturbance requires a transmission coefficient close to one, and there is no overlap in 
the permitted ranges. Therefore, with this QKD scheme. Eve cannot use beamsplitter attack 
and diverts enough light to gain any useful information without producing a detectable 
disturbance. This confirms the impossibility of noninvasive measurement of the quantum- 
mechanical superposition of macroscopically distinguishable states. The problem for Eve 
is the vacuum noise from the vacant port of the BS. If she samples only a small part 
of the signal, to minimize the disturbance, the noise from the vacuum state obscures the 



information carried by the signal state [14 



IV. DISCUSSION 

The previous section discussed the ideal situation in which channel loss and detector 
inefficiency can be ignored. In this case, the present scheme enables us to exactly determine 
the upper bound of the information leakage to eavesdroppers Iae from the fringe visibility 
of the probability distribution pix (pa)- As a result, its security will, in principle, be provable 
in the ideal case under the assumption that Alice does send cat states. This would be the 
principal advantage of the scheme over the conventional WCP scheme. This scheme also 
offers advantages. First, it involves only quadrature phase measurements, which can be done 
more efficiently than photon counting. Second, this scheme can use a more intense pulse. 
These advantages may allow us to improve the transmission efficiency compared to that of 
the conventional WCP scheme. 

However, in the presence of channel loss and detection inefficiency, the above results 
need to be reconsidered. It is known that the cat state is so fragile that the loss of a single 
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photon may easily destroy the interference fringe observed in the probabihty distribution 
Pix(Pa)- Moreover, the decoherence rate of the cat state is proportional to the distance 

lal 



between the two distinguishable coherent states; i.e., it is proportional to a/1 — 
59| , |6^ . A cat state with a very large average photon number \af decoheres rapidly, and 



thus the present scheme will not be practical. We here briefly describe the effects of channel 
loss and detection inefficiency on the present scheme. Channel loss and detection inefficiency 
are, as usual, modeled by a beam splitter that mixes the signal mode with a vacuum field in 
an auxiliary mode. Thus, these effects are essentially analogous to the beamsplitter attack. 
In other words, neither of these effects can be distinguished from eavesdropping by means 
of local measurement by legitimate users. This would be a weak point in common with 
the cryptographic scheme using a multi-photon nonclassical state as a signal carrier. Let us 
assume that the overall channel loss is ( and the detector efficiency is 77. The above model 
then reveals that Eq. ( 3.12|) is correct if we replace T — »• erjT in Vb and Eq. ( 3.12|) . This 
means that Vb is reduced by a factor e^'^'^^^^'^^'^^"^ and < < e^^*^"'^^^'''""' . Thus, unless 
erj 7^ 1, the visibility is less than unity even if T = 1; i.e., no eavesdropper is present. The 
legitimate users can measure the detection efficiency locally though. Thus, its effect may 
be subtracted when determining the upper bound of the information leakage to Eve from 
the observed visibility. Moreover, if legitimate users have a reliable way to evaluate the 
channel loss, its effect may also be subtracted. However, when 2(1 — erj) \af ^ 0, Vb ~ 0. 
Eavesdropping would then be very difficult to detect from the subtle changes in Vb, and 
this scheme would not be practical. Thus, 1 — erj and |a| need to be very small for this 
scheme to work. In practice, even a minor 3-dB loss {erj = 0.5) will make it hard to use this 
scheme, unless |a| is small. It is this extreme sensitivity of the nonclassical field state to the 
environment that enables us to detect eavesdropping. In contrast, the channel loss is simply 
discarded in the WCP scheme, but this discarding also makes the WCP scheme vulnerable 
because eavesdroppers have chance to use it while substituting a superior channel to escape 
detection. 

On the other hand, there is a lower bound on |q;| that enables use of the cat state to 
detect eavesdropping. To evaluate the fringe visibility, there should be at least one oscillation 
in the distribution pix{Pa) within the Gaussian contour exp [— p^]- This requirement should 
impose the inequality Apa = n / {2^/2eT]T \a\) < 2Vln2. If we note that erjT < 1, |a| > 
7r/(4A/2 In 2) ~ 0.67 is required. Thus, a cat state with an average photon number of 
the order of unity is appropriate for our scheme. In this sense, what is needed is not a 
"macroscopic" quantum superposition but a "mesoscopic" quantum superposition which 
should be easier to create. The present scheme is effective only if a good channel with low 
loss, a highly efficient detector, and a mesoscopic cat state are available. 

Hillery's idea of using phase-sensitive amplifiers to boost the signal and partially compen- 
sate for the effect of losses for a cryptographic scheme using the squeezed state is interesting. 
When a device that can amplify the cat state becomes available in the future, his idea can 
also be applied to the present scheme: if such a device is used in the secure station in the 
channel, it can partially compensate for the effect of losses by amplifying only the cat state 
in accord with the state Alice sends, and otherwise it can compensate the effect by randomly 



amplifying the signal and discarding a part of the data. [|T4| 

The problem with the cryptographic scheme using a multi-photon nonclassical state 
comes from the fact that the state after eavesdropping and the state after losses are indistin- 
guishable. A cryptographic scheme using a single photon seems not to have such a problem. 
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This is because the state after photon loss is a vacuum state that spans a subspace different 
from the signal space of a single-photon state. Such a scheme can conclusively distinguish a 
photon-loss event and uses only the photons that did not get absorbed. Thus, it can over- 
come 10 dB of losses. That, in essence, is why conventional quantum cryptography using 
single photons can work so well in the presence of channel loss and detection inefficiency. 
We should, however, remember that this is true only with the assumption that the appara- 
tus used by Alice to produce the photon is perfect 0. To confirm that this assumption is 
valid, we must check that the signal space is limited to two-dimensional space; i.e., whether 
the photon source is a good single-photon source. This check can be accomplished through 
observation of the nonlocal properties inherent in quantum mechanics, such as violation of 
Bell's inequality |^6| and Bell's theorem without inequalities associated with an entangled 
tripartite system, [0,0 to ensure that the photon source is a perfect single-photon source. 
This is because no local photon source other than a perfect single-photon source can repro- 
duce the results observed nonlocally between legitimate users. However, note that 
the rigorous test for a violation of Bell's inequality and Bell's theorem associated with an 
entangled tripartite system is possible only if the product of the channel loss and detection 
efficiency is higher than some lower limit of around 80%. [[r^-|7^ If the loss and efficiency 
product is below this lower limit, an auxiliary assumption (a fair-sampling assumption) that 
the fraction of detected pairs is representative of the entire ensemble is required to rule out 
any local realistic model that can reproduce the observed results and to prove the security 
of the BB84 protocol without any loophole. |l72|-[74| 

The current feasibility of the present scheme is limited by the difficulty of preparing 
the cat state with today's technology in addition to channel loss and detector inefficiency. 
However, a development of a quantum gate will help us to obtain the cat state through a 
swapping operation between a coherent state and a more easily created superposition 
state of a single quanta [|60| ,f7^. 



V. CONCLUSION 

It is a distinct feature of the ideal BB84 protocol that its security is mathematically 
provable. This is possible because quantum mechanical complementarity enables us to de- 
termine the upper bound of the information leakage to eavesdroppers. We have shown that 
complementarity allows also use of multi-photon states as a signal carrier in the BB84 QKD 
protocol, and have described a scheme that uses two nearly orthogonal coherent states to 
carry the key where the superposition of these states protects the communication channel 
from eavesdropping. This scheme is based on complementarity as is the conventional BB84 
scheme. We expect this scheme to be as secure as the conventional single-photon scheme 
and secure against any eavesdropping strategy. The disappearance of interference fringes in 
the homodyne detection used to decode the key clearly indicates eavesdropping activity, and 
the upper bound of information leakage to eavesdroppers can be exactly determined from 
the visibility of the interference fringes which is measurable from the homodyne detection. 
As a result, this scheme will be provably secure as long as a good channel with negligible 
loss, a highly efficient detector, and a mesoscopic cat state are available. 

Unfortunately, this scheme is very sensitive to losses and is not practical in the presence 
of high channel loss and detection inefficiency. In this case, a single-photon implementation 
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would be preferable, although the provable security still requires low channel loss and high 
detection efficiency. 
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FIGURES 

FIG. 1. Upper plot: Bob's information gain Iab, Eve's information gain Iae and their sum 

Iab + Iae are plotted against Bob's error probability Qf when Eve applys an optimum eaves- 
dropping strategy. Lower plot: measures of information gained by Bob (G^) and by Eve (G^) are 
plotted. 

FIG. 2. The relevant subspace of the four weak coherent states in the entire Hilbert space (the 
Fock space) . The parts of the four circles that do not overlap indicate the linear independence of 
the states. 

FIG. 3. The basic idea of the proposed QKD scheme. Alice and Bob use two nearly orthogonal 
coherent states to carry the key and the superposition of these states (cat states) to protect from 
eavesdropping. Eavesdropping is detected from the disappearance of the interferential fringes in the 
distribution of the outcome when a certain quadrature component is measured by the homodyne 
detection. 

FIG. 4. Information leakage to Iae (a solid line) and Bob's average information gain Iab 
(broken lines) as a function of the fringe visibility Vb = e^^^^"-^)!"!^ in the probability distribution 
Pix{Pa) recorded by Bob. Iab was evaluated at the average photon number \a\^ = 2 and \a\^ = 1. 
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